
PostgreSQL 2010-10-05 Security Update

Posted on 2010-10-05

The PostgreSQL Global Development Group today released security updates for all active branches of the PostgreSQL object-relational database system, including versions 9.0.1, 8.4.5, 8.3.12, 8.2.18, 8.1.22, 8.0.26 and 7.4.30. This is the final update for PostgreSQL versions 7.4 and 8.0.

Users of the PL/perl and PL/tcl procedural languages, particularly those with SECURITY DEFINER functions written in them, should update their installations immediately. All other database administrators are urged to update their PostgreSQL installations at the next scheduled downtime.

Minor releases 7.4.30 and 8.0.26 are the final releases for PostgreSQL 7.4 and 8.0, as both versions are no longer supported. The PostgreSQL community will also stop releasing updates for version 8.1 later this year. Users of these versions are encouraged to upgrade to a newer major release as soon as possible. See our release support policy.

The security vulnerability allows any ordinary SQL user with usage rights on a "trusted" procedural language (PL/perl or PL/tcl) to modify the behaviour of procedural language functions at runtime. Both languages kept a single interpreter per database session, so Perl or Tcl code executed by one SQL user (for example, code that redefines a standard function or operator) stayed in effect when a function in the same language was later executed in that session under a different SQL user identity, such as inside a SECURITY DEFINER function or after some other authorization-change operation. As detailed in CVE-2010-3433, an authenticated user can use this to escalate privileges by hijacking such a function. The updated releases fix this by using a separate interpreter for each calling SQL user. The mere presence of the procedural languages does not make your database application vulnerable; the exposure exists only where untrusted users can create functions in one of these languages and functions in that language also run under another identity in the same session.
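The following queries are an added example for assessing exposure before and after applying the update; they are not part of the original advisory and not code from the PostgreSQL project. They assume the catalog layout of the 8.x and 9.0 branches (pg_proc.prosecdef, pg_language.lanacl and pg_language.lanpltrusted) and are meant to be run by a superuser in each database, since functions and language privileges are per database.

```sql
-- Added example, not from the original advisory.
-- Run as a superuser in each database of the cluster.

-- 1. The hijack targets: SECURITY DEFINER functions written in PL/perl or
--    PL/tcl. These run under the function owner's identity, inside the same
--    session-wide interpreter that any user with USAGE on the language can
--    tamper with before the update is applied.
SELECT n.nspname                    AS schema,
       p.proname                    AS function,
       l.lanname                    AS language,
       pg_get_userbyid(p.proowner)  AS runs_as
FROM   pg_proc      p
JOIN   pg_language  l ON l.oid = p.prolang
JOIN   pg_namespace n ON n.oid = p.pronamespace
WHERE  p.prosecdef
AND    l.lanname IN ('plperl', 'pltcl')
ORDER  BY 1, 2;

-- 2. Who can plant the hook: usage rights on the trusted languages.
--    A NULL lanacl means the default for a trusted language, i.e. every
--    user has USAGE and can create functions in it.
SELECT lanname, lanpltrusted, lanacl
FROM   pg_language
WHERE  lanname IN ('plperl', 'pltcl');

-- 3. Interim mitigation until the binaries are updated (assumption: your
--    application can tolerate ordinary users losing the ability to create
--    PL/perl functions; grant USAGE back to specific trusted roles as needed).
-- REVOKE USAGE ON LANGUAGE plperl FROM PUBLIC;
-- REVOKE USAGE ON LANGUAGE pltcl  FROM PUBLIC;

-- 4. After updating and restarting, confirm the running server is at or
--    above the fixed minor release for its branch (9.0.1, 8.4.5, 8.3.12,
--    8.2.18, 8.1.22, 8.0.26 or 7.4.30).
SELECT version();
```

If query 1 returns no rows, or query 2 shows that only trusted roles hold USAGE, the database is not exposed even before the update; if query 1 returns rows and PUBLIC holds USAGE, treat the update as urgent and consider the REVOKE in step 3 until it is applied.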

As with other minor releases, users are not required to dump and reload their database in order to apply this update; you may simply shut down PostgreSQL, install the updated binaries and restart. Users who have skipped more than one minor update should check the release notes for any extra post-update steps required by the intervening releases.